Enterprises facing BYOD security issues tend to deal with a common problem: employees don’t appreciate that using their own mobile device in a work context doesn’t exempt them from following security policy. Breaches often occur because employees fail to consider the potential consequences of their actions, such as circumventing access restrictions to save time and hassle. The line between personal use and business use is certainly not easy to draw, but overall enterprise security should not be undermined by these devices.

How an enterprise structures its policy depends to some extent on the type of BYOD it operates. Under shared management, in which employees give the enterprise the right to manage, lock down or even wipe the devices, or corporate ownership, in which the organization purchases and retains ownership of the devices, the enterprise is in a much better position to enforce its acceptable use agreement (AUA). If the devices are employee-owned, I would push for a legal transfer arrangement, in which the enterprise purchases the devices from the employees and returns ownership to them if they leave the organization.

A mobile phone, whether it’s owned by an enterprise or a user, is effectively a cross between a laptop and a communications device, so a good starting point for drafting a BYOD AUA is the enterprise’s existing acceptable use policy covering laptop and email use. Key topics to cover in an AUA include: a code of conduct when communicating on business matters, what can and can't be discussed, what actions to take if the device is lost or stolen, and which types of data can and can't be accessed from or copied to the device. To avoid confusion, always provide examples of how data should be handled on a BYOD device.

Involving staff in the development of an AUA is vital in order to keep them on board whilst still achieving the necessary security objectives. If a policy is impractical, employees – including executives – won’t follow it. First, help employees understand the threat mobile devices pose to security by sharing the results of the organization’s risk assessment. Employees will usually suggest ways to mitigate some of the risks and, more importantly, they will accept the need for what they might initially perceive as tedious and unnecessary controls. When employees understand the reasoning behind a particular security control, they are far less likely to ignore it. By ensuring their needs are either met or an acceptable compromise is provided, employees are more likely to embrace the resulting policy and working practices instead of resorting to non-compliant and insecure workarounds.

Data ownership is a key aspect of any security policy, so make sure employees fully appreciate their role and responsibilities in keeping data secure. A mobile device, for example, can easily hold tens of thousands of Word documents, emails or other types of sensitive data files. These devices make it easier for employees, service providers or data thieves to access, copy or lose an organization's intellectual property or customer data. If employees take ownership of information assets, the strength of an enterprise’s security will improve dramatically.

However, these policies still need to be reinforced by technology-based controls. Security policies must be actively enforced, with monitoring to deter and prevent employees from exploiting their legitimate access to enterprise data. If employees know there’s a chance that network filters and log analyzers will catch inappropriate activity, they are far more likely to follow procedure, particularly if disobedience incurs strict disciplinary measures. Technologies such as network access control (NAC) and mobile device management (MDM) can provide visibility into whether unmanaged devices are in use and can restrict corporate network access accordingly.
